The present invention relates to methods and systems for solving problems with hard-coded credentials without modifying application source code, related configurations, and/or settings.
Currently, complex computer systems require computer applications to interact with each other. The interaction among applications requires authentication that is usually performed by specifying credentials (e.g. username and password). Such a system typically stores the authentication information (i.e. the credentials) as “hard-coded” text in the source code, related configuration files, and/or settings (e.g. environment variables and registry keys) residing in the system.
As an example, three-tiered application servers, such as BEA™ WebLogic, IBM™ WebSphere, and Oracle™ Application Server (OAS), store database credentials in their configuration files or settings as hard-coded credentials in order to implement database-connection pooling.
Hard-coded credentials are considered a security problem in the field since the storage of such credentials is insecure. Exploitation of hard-coded credentials by unauthorized parties may compromise an entire system's security. Furthermore, hard-coded credentials make it difficult to change the credentials in the host application since changing the credentials would require synchronizing the hard-coded credentials used by the requesting application (i.e. the application requesting authentication) with the new credentials.
There are several methods that mitigate part of the hard-coded credentials security problem:
(1) Use authentication other than user/password for the credentials (may not be feasible and/or not supported by many applications).
(2) Obfuscate or encrypt hard-coded credentials.
(3) Store hard-coded credentials in credential files and protect the files.
(4) Store hard-coded credentials in a secured storage.
Even when mitigation is suggested for the hard-coded credentials problem, applying the solution to the entire system is a complex and expensive project. Systems can typically include over a million lines of source code. Thus, finding all occurrences of the hard-coded credentials in the source code becomes an extremely difficult task. Locating all occurrences of the hard-coded credentials in the source code manually can be practically infeasible.
In addition, systems may include legacy software that can be hard to change or recompile, or, in some cases, include only the executable code (the source code being missing). Furthermore, the solutions mentioned above in (1)-(4) do not specifically handle credential-change processes, which require synchronization. Synchronization is not a trivial task, as every occurrence of the credentials has to be replaced with the current credentials at the time the credentials are needed. The difficulty lies in making the synchronization process totally transparent, without any lag time for the system and/or user. Solving the hard-coded credentials problems, and specifically the credentials-synchronization problems, may require application code changes.
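The two difficulties just described, locating every occurrence of a hard-coded credential across source and configuration files and then changing all of them together, can be illustrated with a small inventory tool. The following is an added example, not part of the present specification: it scans constructed sample files (a connection-pool class, an application-server data-source definition and a properties file, all hypothetical) for credential-like values, skips values that are resolved at run time, and groups the findings by credential value so that a rotation knows which copies must be synchronized.

```python
import re
import hashlib
from collections import defaultdict

# Credential-like patterns in source and config text (constructed for this
# example to illustrate the occurrence kinds a sweep must find; not exhaustive).
CREDENTIAL_PATTERNS = [
    # key=value, key: value, key="value" in code, .properties, .ini, YAML
    re.compile(r'(?i)\b(password|passwd|pwd|secret)\s*[:=]\s*["\']?([^\s"\'<;]+)'),
    # <password>value</password> elements in application-server XML
    re.compile(r'(?i)<(password|passwd)>\s*([^<\s]+)\s*</\1>'),
    # credentials embedded in a connection URL: scheme://user:pass@host
    re.compile(r'[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s/]+)@'),
]
PLACEHOLDER_PREFIXES = ("${", "%", "{{")  # run-time references, not hard-coded

def scan_text(name, text):
    """Return (file, line_no, secret) for each credential-like occurrence."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pattern in CREDENTIAL_PATTERNS:
            for m in pattern.finditer(line):
                secret = m.group(m.lastindex)  # the value is always the last group
                if secret.startswith(PLACEHOLDER_PREFIXES):
                    continue
                findings.append((name, line_no, secret))
    return findings

def scan_all(files):
    """files: mapping of file name -> text content."""
    return [f for name, text in files.items() for f in scan_text(name, text)]

def synchronization_groups(findings):
    """Group occurrences sharing one credential value so a rotation updates every
    copy together; keys are SHA-256 prefixes so the report does not echo the secret."""
    groups = defaultdict(list)
    for name, line_no, secret in findings:
        groups[hashlib.sha256(secret.encode()).hexdigest()[:12]].append((name, line_no))
    return dict(groups)

# Constructed sample: a pool class, an app-server data source and a properties
# file that reuse one database credential, plus a run-time placeholder.
SAMPLE_FILES = {
    "DbPool.java": 'String url = "jdbc:mysql://app:hunter2@db.internal/orders";\n'
                   'String password = "hunter2";\n',
    "datasource.xml": '<jdbc-data-source>\n  <user>app</user>\n'
                      '  <password>hunter2</password>\n</jdbc-data-source>\n',
    "app.properties": 'reporting.password=s3cr3t-r3p0rt\nlog.level=INFO\n'
                      'db.password=${DB_PASSWORD}\n',
}
```

Running `synchronization_groups(scan_all(SAMPLE_FILES))` on the sample yields two groups, one of which lists three places (two in DbPool.java, one in datasource.xml) that all hold the same credential and must change in one synchronized step.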
It would be desirable to have methods and systems for solving problems with hard-coded credentials without modifying application source code, related configurations, and/or settings.